> On 10 Jan 2021, at 14:47, Steve Fairhead <[email protected]> wrote:
>
> Hi folks,
>
> I hope I'm just missing something stupid. It's been a while since I deployed
> public OpenBSD servers, but I've done plenty. I always use a defence in
> pf.conf against brute-force SSH attacks, which has served me well in the past.
>
> On a new machine running 6.8, this no longer appears to work. I've stripped
> it back to:
>
> table <scanners> persist file "/etc/scanners"
>
> block quick from <scanners>
>
> pass quick proto tcp from any to any port ssh flags S/SA keep state \
>     (max-src-conn 10, max-src-conn-rate 3/15, overload <scanners> flush global)
>
> (taken directly from https://home.nuug.no/~peter/pf/en/bruteforce.html )
Taking a peek at what I run the main difference I see is that I do a block by
default at the very beginning of my pf.conf, and
# pass proto tcp to port ssh
pass in quick log (all) on egress proto tcp to port ssh flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 2/10, overload <bruteforce> flush global, pflow)
I also run a cron job twice an hour so that anything trying for obvious
stupidity like logging in as root or admin gets added to the table (some
handwaving tips at
https://bsdly.blogspot.com/2017/04/forcing-password-gropers-through.html ).
- Peter
—
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
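As an added illustration of the cron job Peter describes, not his own script and not part of the original thread: a small POSIX sh script that scans sshd log lines for attempts to log in as root or admin and adds the source addresses to the pf table that the pass rule overloads into. The table name <bruteforce>, the log path /var/log/authlog, the script name, and the exact sshd message formats it matches are assumptions; the sample log lines are constructed (RFC 5737 addresses).

```shell
#!/bin/sh
# Added example, not the original poster's or Peter's own cron job.
# Scan sshd log lines for attempts to authenticate as root or admin and
# feed the source addresses to the pf table used by the overload rule.
# TABLE, LOG and the matched sshd message formats are assumptions.

TABLE=bruteforce
LOG=/var/log/authlog

# Read sshd log lines on stdin and print each source address that tried
# to authenticate as root or admin, once per address.
gropers() {
    awk '
    /sshd\[[0-9]+\]:/ && /(Failed password for|Invalid user)/ {
        user = ""; addr = ""
        for (i = 1; i <= NF; i++) {
            # "for root from A", "Invalid user admin from A" and
            # "for invalid user admin from A": the user name is the token
            # after "for" or "user", and a later "user" wins over "for".
            if ($i == "for" || $i == "user") user = $(i + 1)
            if ($i == "from") addr = $(i + 1)
        }
        if (addr != "" && (user == "root" || user == "admin")) print addr
    }' | sort -u
}

# Hand the addresses to pf. pfctl needs root, so this only runs when the
# script is invoked with "apply", e.g. twice an hour from root's crontab:
#   0,30 * * * * /usr/local/sbin/gropers.sh apply
# Re-adding an address already in the table is harmless; pfctl just
# reports 0 addresses added.
ban() {
    gropers < "$LOG" | while read -r addr; do
        pfctl -t "$TABLE" -T add "$addr"
    done
}

# Constructed sample log lines, not a real authlog.
SAMPLE='Jan 10 14:47:01 delilah sshd[29949]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 14:47:03 delilah sshd[29950]: Invalid user admin from 203.0.113.7 port 51235
Jan 10 14:47:05 delilah sshd[29951]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Jan 10 14:47:09 delilah sshd[29952]: Failed password for peter from 198.51.100.9 port 51236 ssh2
Jan 10 14:47:11 delilah sshd[29953]: Accepted publickey for root from 192.0.2.1 port 51237 ssh2'

if [ "${1:-}" = apply ]; then
    ban
else
    # Dry run on the sample: prints 203.0.113.5 and 203.0.113.7 only.
    printf '%s\n' "$SAMPLE" | gropers
fi
```

Run without arguments it only shows what would be added from the sample lines; with `apply` as root it scans the real log and populates the table. Because the table in the pass rule is declared `persist` and the pfctl additions are idempotent, rescanning the whole log every half hour is safe, if wasteful on a busy host; a refinement would be to scan only lines newer than the previous run.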

